The Official Malware/Antivirus Thread - Need help or general advice? Read this first!

This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.

Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help... but please read the information provided first, or else there's a good chance you'll be sent here, here, or here. We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.

Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.

Research

Step 3: Unzip the Kit, read the instruction file, and run the tools in the order given.

Step 4: Thank me in about 3 hours for fixing your shit.

The Rogue Removal Kit is a zipped file that includes Malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), ComboFix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking, then running Malwarebytes and an online scanner in Normal Mode.

Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.

Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.

The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.

Other Helpful Tips & Tools

Rkill will kill processes that may be preventing scanners from completely removing malware.

To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.

HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fix checked'.

If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was set up (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.

You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.

Windows Performance

A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.

To manage the processes that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Bonjour, AppleUpdater, etc.), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.

Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore.

I ran into a strange virus/trojan last night called Windows Defender*. It installed on my computer (not sure how) and it looked like a virus-scan or spyware-removal dashboard. I tried to close it so that I could uninstall it, but it just went into the system tray. Right-clicking the system tray icon didn't show an 'Exit' or 'Shut Down' option, so I went to Task Manager to kill the process. Task Manager would open for a second, then close. I tried it over and over thinking "oh crap". I rebooted, and the 'Defender' app started up immediately and proceeded to end other processes. I tried Task Manager again, and it closed after a second. I opened up Firefox to try and look it up, and Firefox closed after a second. Everything I tried to open would close almost immediately (even running 'cmd' and 'msconfig.exe').

During one of the times Task Manager flashed open, I saw that one of the processes was 'defender.exe'. I opened Windows Explorer, which luckily stayed open, and searched for it. Sure enough, defender.exe was sitting in the Users directory (I'm running Vista). I tried to delete, but couldn't because the process was running. So I renamed it and rebooted. This time, it didn't run on startup, so I quickly went in and deleted defender.exe and went into msconfig.exe and removed it from startup. I also went into the registry and removed all entries that contained 'defender.exe'.

It was 1:30am by the time I got rid of it, so I shut down my machine and went to bed. Tonight, I plan on doing a full system scan: AVG, Ad-Aware, and a few of the programs mentioned in this thread. From what I gathered, it was just a bogus app that tries to get people to buy "full version" to get rid of whatever virus it says you have.

I think everything is ok now, but just want to make sure. Anything else I should be doing or looking for?

==========
* Not THE Windows Defender, just trying to disguise itself as legit.

C:\Program Files\Brownie\BrStsWnd.exe
C:\Program Files\Brownie\brpjp04a.exe
O4 - HKCU\..\RunOnce: [BrStsWnd.exe] C:\Program Files\Brownie\BrStsWnd.exe WindowsStartUpModel

The Brownie stuff got some hits on Google as redirect malware... you could check Program Files and run HiJackThis again just to make sure it was all deleted.

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

The startup programs look fine (much shorter than normal, actually)... I guess you could Google some of the Think Pad/Lenovo/IBM stuff to see if it's all necessary, but at first glance it looks like you would need all of it. Google Talk and maybe Picasa are the only things that would be slowing things down... you might be as anal as I am about startup programs.

Services can suck, and when I get time I might update the OP and add some resources on what can be shut off and what can be set to manual... it can make a big difference in the time it takes to get a usable desktop. Anyway, do NOT checkmark/delete any of these while using HiJackThis, but you could go to Start -> Run -> services.msc, right click on the service, go to properties, and set some of these to Manual, depending on how often you use some of that stuff. That will prevent them from starting up on their own when Windows starts, which can speed things up.

And you could turn off a lot of the Lenovo stuff if you want. A lot of the Lenovo stuff is doing the same thing that is built in to the OS, like power management, sound, and wireless stuff. It's usually easier and more efficient to let Windows handle those sorts of things.
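The O4 lines quoted above have a fixed layout (hive, Run/RunOnce key, display name in brackets, command line, optional user suffix), so the msconfig rule of thumb from the Windows Performance section (keep c:\Windows, Program Files is usually optional except antivirus, anything living in a user folder like the defender.exe story earlier deserves a hard look) can be applied to a whole log at once. This is an added example, not code from the thread or from HiJackThis: the sample log and the antivirus folder list are constructed, and the verdict is only a triage hint by location, not a malware judgement (the Brownie entry still needs the Google research the reply describes).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log, modelled on the O4 entries quoted in this thread (not a real HiJackThis log).
SAMPLE_LOG = r"""
O4 - HKCU\..\RunOnce: [BrStsWnd.exe] C:\Program Files\Brownie\BrStsWnd.exe WindowsStartUpModel
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [defender] C:\Users\bob\defender.exe
O4 - HKLM\..\Run: [avgtray] C:\Program Files\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ctfmon] C:\Windows\System32\ctfmon.exe
"""
# One O4 line: hive, Run/RunOnce key, [display name], command line, optional (User '...') suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Hypothetical folder names of security products; the thread only says "exceptions, like your antivirus".
AV_DIRS = {"avg", "avast", "alwil software", "malwarebytes", "lavasoft"}

def exe_path(cmd):
    """Return the executable part of an (often unquoted) command line: everything up to the first .exe."""
    m = re.match(r'"?(.*?\.exe)"?', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def verdict(path):
    """Apply the thread's rule of thumb to where the autostart executable lives."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    top = parts[1] if len(parts) > 1 else ""
    if top == "windows":
        return "keep: Windows component"
    if top.startswith("program files"):  # also matches "Program Files (x86)"
        if any(p in AV_DIRS for p in parts):
            return "keep: antivirus"
        return "optional: usually safe to uncheck in msconfig"
    if top in ("users", "documents and settings") or "temp" in parts:
        return "suspicious: executable in a user or temp folder, research it"
    return "unknown: research before touching"

def classify_o4_lines(log_text):
    """Parse every O4 line in a HiJackThis log and attach a verdict to each autostart entry."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line (other HiJackThis sections, blank lines)
        path = exe_path(m.group("cmd"))
        results.append({"name": m.group("name"), "hive": m.group("hive"), "key": m.group("key"),
                        "user": m.group("user"), "path": path, "verdict": verdict(path)})
    return results
```

Paste a real log into `classify_o4_lines` and read the verdict column as the order in which to research entries, not as a list of things to delete.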

Services can suck, and when I get time I might update the OP and add some resources on what can be shut off and what can be set to manual... it can make a big difference in the time it takes to get a usable desktop. Anyway, do NOT checkmark/delete any of these while using HiJackThis, but you could go to Start -> Run -> services.msc, right click on the service, go to properties, and set some of these to Manual, depending on how often you use some of that stuff. That will prevent them from starting up on their own when Windows starts, which can speed things up.

I think the second part of this post needs repeating. This is a wonderful way to take control of running processes on your computer. Very useful for both resource management and diagnosis when something's wrong. More people should familiarize themselves with this.

My wife got one of those pop-ups that says you have a virus and you need to run the scan. In all her infinite wisdom, she clicked to run the scan. Now it's got her computer 13 different kinds of FUBAR. I downloaded the rogue removal to a jump drive and copied it to her hard drive. I tried to run the components, and every time I start one of them up, the "Security Tool" gives me an error and closes the program.

The instructions say to run it in normal mode. Any suggestions? Should I try it in safe mode? Thermonuke the whole ****ing thing? What say you?

What instructions say to run what in normal mode? The Elite Killer rogue removal instructions say to run everything in Safe Mode, so I'd follow that (I believe it has you run the scans in safe mode, reboot into normal mode, and run them again). I'd also recommend not using a flash drive, because the crap might have copied itself there so it can spread to any computer you plug it into... I'd just go into Safe Mode with networking and download the stuff, or copy it from the flash drive then format the flash drive (in safe mode).

The readme in the folder says to try to run them in normal mode.

Well, DaFace helped me out (He's the man). I managed to get into safe mode and do a system restore. I think it worked. I'm currently running MBAM in Normal Mode. Hopefully that will be the end of it.

All of a sudden my internet is taking 3x as long to do things. I haven't really tried to do anything else on my computer other than go on the internet, so I don't know if it's just the internet or if I have a virus, BUT...

I downloaded HijackThis and MalwareBytes.

MalwareBytes says I have 3 infected files when I ran a quick scan (I just ran a quick scan with Avast the other day and nothing popped up).

Looks like Malwarebytes found the trojan, but it says No Action taken. Be sure you actually remove it in Malwarebytes. The line I highlighted in the log is likely the source of the download trojan.

And is there a reason you have a Comodo VPN client running on your system? If you're not actively using that, I'd remove it.

I'm also a little concerned about all the missing system files that HijackThis is listing. It looks like you upgraded from Vista to Win7, and it left a bunch of dead links in your registry. If you're familiar with editing the registry, I'd remove those.

Is it safe for me to just remove those items in Malwarebytes? I wasn't sure if it would **** up my computer if I did.

Also, I'm not familiar with editing the registry, I don't want to screw that up.